For many U.S. government agencies
charged with defending networks from
intrusion and corruption, cyber defense
mainly involves protecting information
technology (IT) networks.

But for the U.S. Navy, cyber defense is a broader
concern: protecting the hull, mechanical and electrical
systems (HM&E) of its ships and the combat systems
of its ships and aircraft, with the consequences of failure including loss of control, damage, injury and death.
Cyber defense also must be reconciled with the Navy’s
initiatives to seamlessly network its forces.

Naval Sea Systems Command (NAVSEA) and Naval
Air Systems Command (NAVAIR), among other commands, have the major responsibility of integrating
cyber defense in the Navy’s ships, aircraft, weapons
and combat systems. They have formed cyber councils
to figure out the ways to defend the platforms and systems from cyber attack, from back-fitting defenses in
legacy systems to designing in cyber defense up front
in new systems.

“I look at warfare systems developed by PEO
IWS [Program Executive Office-Integrated Warfare
Systems] and the other [systems commands] and
certify those for all Navy surface ships,” said Bill Williford, who until January was the director for Integrated
Warfare Systems Engineering for NAVSEA as well as
the technical authority for the PEO IWS, among other
titles. He now is executive director of Marine Corps
Systems Command.

“What we were attempting to do is use our normal processes that we use for certification for warfare systems and systems engineering and add cyber security as part of that system engineering process,” he said. “We see cyber security as another discipline within the system engineering process that we want to add to our

Williford noted the challenges of adding cyber security to what he calls the three fleets: the new-construction fleet, the future fleet and the in-service fleet.

“With the in-service fleet, we’ve got to figure out a solution to handle our legacy systems that are already in the fleet today,” he said. “With the new-construction fleet, we’ve got a little bit more time to figure out a solution. With the future fleet, those programs coming down the line, we’ve got a little bit of time to put cyber specifications and capabilities in there as we build those platforms.”

Williford said cyber vulnerability in the information systems is similar to that in the combat systems and HM&E side, but with some stark differences.

“In information systems today, you’re trying to get information/data to the right place, but if it’s delayed by a little bit, it’s not a problem,” he said. “With the weapons systems, navigation, HM&E side, you have real-time systems. As a control system, you’re making something happen: a gun shoot; a missile fly; a generator go up and down in capability; a propulsion system giving me more propulsion or not; steering the ship. Those types of things are real-time capabilities.”

NAVSEA approached the National Institutes for Standards and Technology (NIST) to begin to develop cyber-security standards.

“Based on threats in the past, what the NIST instruction told us to do is — it was pretty simple — separate
information systems from control systems, because getting into one can easily get you into the other if you’re
totally connected,” Williford said. “It doesn’t mean
disconnect from the information systems, but separate
them. That means probably a physical boundary between
information systems and control systems so that you
could control the data flow as it comes back and forth.

“The impact to a control system, in my mind,
would be a starker impact than it would be for an
information system on an afloat platform,” he said.
“That’s one of the reasons that we looked at NIST and
we said, ‘we want to segregate these systems.’